Apache OFBiz Cross-Site Scripting, Path Traversal, and Code Injection Vulnerability

Vulnerability

A vulnerability in Apache OFBiz prior to version 24.09.06 stems from improper neutralization of input during web page generation, leading to cross-site scripting (XSS). The same issue also involves improper limitation of a pathname to a restricted directory, allowing path traversal, and improper control of code generation, resulting in code injection. Exploitation could lead to arbitrary file writing, stored XSS, and remote code execution in the Catalog Manager.

Impact

Exploitation of this vulnerability could result in arbitrary file writing, stored cross-site scripting, and remote code execution in the Catalog Manager.

Remediation

Users are advised to upgrade to Apache OFBiz version 24.09.06 or later, which addresses this vulnerability.

Added: May 19, 2026, 10:30 AM
Updated: May 19, 2026, 10:30 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 5.2
remediation: 3.1
relevance: 8.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.